Information Security


Faced with today's varied information security threats, CTCI has managed information security risk under the ISO 27001 standard since 2014 and is committed to reducing both the likelihood and the impact of security risks, as well as improving the company's ability to keep business operations running. An Information Security Promotion Committee has been established, chaired by the President. The committee drives information security initiatives and holds at least one information security management review meeting each year, at which it reviews the risk assessment report, the risk treatment plans and other matters related to information security management. The results of information security management are reported to the Board each year.

A complete notification process has been set up for information security-related issues. The Information Security Promotion Committee assists its Chairman in managing the company's information security goals. Director Johnny Shih, who has a master's degree in computer science and an MBA degree from Columbia University in the United States, has a solid IT background and provides professional advice on information security.
 
In response to the growing importance of information security, and to comply with the requirements that Taiwan's Financial Supervisory Commission sets for Level 2 publicly listed companies, an independent unit has been established to carry out information security audits.

CTCI understands that managing security risks requires continuous improvement through the PDCA (Plan-Do-Check-Act) cycle. Three supplementary measures, expanding skills, initiating change and sharing knowledge, support the effectiveness of overall information security management. To expand skills, IT staff are encouraged to attend security conferences (such as CYBERSEC), where they can learn about the latest security solutions directly from vendors. To initiate change, new control measures are introduced to reduce the likelihood or impact of risks; these include USB blocking, digital controls on confidential and sensitive documents, restrictions on private wireless networks, physical isolation of the test area, stronger backup management, and simulated hacker attacks carried out as part of third-party vulnerability analysis. To share knowledge, in addition to in-person training, courses such as social engineering attack prevention and key security advocacy are recorded as digital materials that colleagues can study online.


Information Security Risk Assessments

Through its annual information security risk assessments, CTCI has identified the possible threats and weaknesses, which include:

Investments and Trainings on Information Security

CTCI continues to invest resources in information security every year, including strengthening information security facilities, improving security management systems and providing education and training, among other measures. These are implemented from the management level down to the technical level in order to raise overall information security. To prevent incidents, first, we conduct simulated hacker attacks as part of third-party vulnerability analysis. Second, we exercise the information systems Business Continuity Plan at the Kaohsiung backup computer facility every six months. Third, we perform weekly remote backups of important system data and test them. Fourth, we conduct biannual vulnerability scanning.

Against the Advanced Persistent Threats (APTs) that have become prevalent in recent years, CTCI has adopted the following control measures to reduce the likelihood and impact of risk:

In response to the increasingly serious threat of malicious and phishing emails, and to employees working remotely because of the pandemic, in 2022 CTCI ran drills using realistic social engineering emails modelled on the latest attack trends, to cultivate and increase employee vigilance.